CCNA Security 2.0 PT Practice SA – Part 1

The questions and answers for CCNA Security 2.0 PT Practice SA – Part 1 are revealed in this post. Hopefully this will help you pass the CCNA Security 2.0 Packet Tracer Practice SA Part 1 successfully. However, our current answer is only 84% correct. If you have a complete 100% answer, please comment below or email me.

A few things to keep in mind while completing this activity:

Do not use the browser Back button or close or reload any exam windows during the exam.

Do not close Packet Tracer when you are done. It will close automatically.

Configure the Internal router to accept SSH connections. Use the following guidelines:

Note: Internal is already configured with the username SSHAccess and the secret password ciscosshaccess.

The domain name is theccnas.com.

RSA encryption key pair using a modulus of 1024.

SSH version 2, timeout of 90 seconds, and 2 authentication retries.

All vty lines accept only SSH connections.

Configure the Internal router with server-based AAA authentication and verify its functionality:

Note: The AAA server is already configured with RADIUS service, a username CORPSYS, and the password LetSysIn.

The key to connect to the RADIUS server is corpradius.

AAA authentication uses the RADIUS server as the default for console line and vty line access.

The local database is used as the backup if the RADIUS server connection cannot be established.

Set the maximum number of learned MAC addresses to 2 on FastEthernet ports 0/1 to 0/22. Allow the MAC address to be learned dynamically and to be retained in the running-config. Shut down the port if a violation occurs.

Disable unused ports (Fa0/2-4, Fa0/6-10, Fa0/13-22).

Configure the trunk link on Fa0/23 and Fa0/24 on both Switch1 and Switch4.

Disable DTP negotiation on the trunking ports.

Set the native VLAN as VLAN 50 for the trunk links.

Step 6: Configure an IOS IPS on the Internal Router.

On the Internal router, if asked to log in, log in as CORPSYS with password LetSysIn. The enable secret password is ciscoclass.

Use the IPS signature storage location at flash:.

Create an IPS rule named corpips.

Configure the IOS IPS to use the signature categories. Retire the all signature category and unretire the ios_ips basic category.
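The tasks listed above, written out as IOS global-configuration commands. This is an added example, not the post's own answer key and not a graded solution. `<AAA_SERVER_IP>` is a placeholder because the task list does not give the server address, and the vty range `0 4`, the legacy `radius-server host` syntax and the choice of switch for port security are assumptions.

```cisco
! ---- Internal router: SSH access ----
ip domain-name theccnas.com
! A domain name must exist before the RSA key pair can be generated
crypto key generate rsa general-keys modulus 1024
ip ssh version 2
ip ssh time-out 90
ip ssh authentication-retries 2
! Assumption: vty lines 0-4; widen the range if the device has more
line vty 0 4
 transport input ssh
 exit
! ---- Internal router: server-based AAA ----
aaa new-model
! Placeholder address: the task list does not state the AAA server IP
radius-server host <AAA_SERVER_IP> key corpradius
! "default" list covers console and vty; "local" is the fallback
! used only when the RADIUS server cannot be reached
aaa authentication login default group radius local
! ---- Switch: port security and unused ports ----
interface range fastEthernet 0/1 - 22
 ! Port security is only accepted on a static access port
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 ! sticky = learned dynamically and written to running-config
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 exit
interface range fastEthernet 0/2 - 4 , fastEthernet 0/6 - 10 , fastEthernet 0/13 - 22
 shutdown
 exit
! ---- Switch1 and Switch4: trunk links ----
interface range fastEthernet 0/23 - 24
 ! Set static trunk mode first: nonegotiate is rejected on a port
 ! that is still in a dynamic (DTP) mode
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 50
 exit
! ---- Internal router: IOS IPS ----
ip ips config location flash:
ip ips name corpips
ip ips signature-category
 category all
  retired true
  exit
 category ios_ips basic
  retired false
  exit
 exit
```

The 1024-bit modulus is the value the activity specifies; on production devices 2048 bits or more is the usual minimum. Leaving `ip ips signature-category` mode prompts for confirmation before the category changes are applied.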

Please be reminded that the current answer (in the top section earlier) is 84% correct. If you have a complete config that has been tested to be 100%, please let us know. Drop a comment below or email admin@invialgo.com. Thank you.

209.165.200.252 is not a host address, it is the /30 network between CORP and INTERNAL.
On the radius host command we need to specify the AAA Radius server address which seems to be 172.16.25.2, right?

I follow the configuration posted but I constantly get a 92% due to the following:

1. *radius server line on Internal seems incorrect
Do we really need to config the “authentication” line?
What else might be wrong?
2. *Switch 4 does not accept the “switchport nonegotiate” line (all is ok with Switch 1)
It returns an error: Command rejected: Conflict between ‘nonegotiate’ and ‘dynamic’ status.

I followed Alexander’s work, got 75/100. In the feedback, everything was fully complete with the exception of Configuring Basic Router Security and Configuring ZBF being only partially complete. Under Line Timeout it says:

Because the command:
aaa authentication login default group radius local
is already applied everywhere by default (I did the test in my lab).

You also don’t have to put this command:
aaa authorization exec default local
Because nowhere is it mentioned that you have to configure authorization, just authentication is needed.
Also, you can go faster for the switch command with:

I took the test yesterday – I got 95% but I assume that’s due to my trying to do it on my own. Anyway, I just wanted to say the test is viable and anyone that is going to take that test can use it! Thank you guys, you are awesome!